Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Strange & Random GET PHP Queries - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Strange & Random GET PHP Queries

Over the past few months, I have been observing strange web queries against my honeypot where the pattern is always the same, a combination of two letters but each instance using two different letters. The pattern starts with pair of two letters, then three by dropping the last letter and last ending with the remainder 2 letters. Here are some examples:

/ewew/ewe/ew.php
/fcfc/fcf/fc.php
/bpbp/bpb/bp.php
/wcwc/wcw/wc.php
/ovov/ovo/ov.php

I have also been regularly getting requests for the Linksys CGI script /tmUnblock.cgi  (GET/POST) associated with "TheMoon" Linksys worm [1], Wordpress login /wp-login.php [2], Coldfusion administrator page /CFIDE/administrator as well a multitude of other stuff listed below.

/cgi-bin/test-cgi
/user/soapCaller.bs
/admin.php
/MyAdmin/scripts/setup.php
/phpMyAdmin/scripts/setup.php
/pma/scripts/setup.php
/a2billing/customer/javascript/misc.js

This last example is URL encoded:

/cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E

Which equate to: [3]

-d allow_url_include=on %2Dd safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d auto_prepend_file=php://input -d cgi.force_redi%72ect=0 -d cgi.redirect_status_env=0 -n

[1] https://isc.sans.edu/forums/diary/More+Details+About+TheMoon+Linksys+Worm/17669
[2] https://isc.sans.edu/forums/diary/Strange+wordpress+login+patterns/19191/
[3] http://www.asciitohex.com

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu

Guy

411 Posts
ISC Handler
I've been getting close to the same in my logs but structured a bit differently:

[Mon Jan 19 02:53:04 2015] [error] [client 78.135.99.200] File does not exist: /usr/local/apache/htdocs/lqlq
[Mon Jan 19 02:53:04 2015] [error] [client 78.135.99.200] File does not exist: /usr/local/apache/htdocs/phpMyAdmin
[Mon Jan 19 02:53:04 2015] [error] [client 78.135.99.200] File does not exist: /usr/local/apache/htdocs/pma
[Mon Jan 19 02:53:05 2015] [error] [client 78.135.99.200] File does not exist: /usr/local/apache/htdocs/myadmin

They are always using a different letter combinations:

[Mon Jan 19 02:08:06 2015] [error] [client 210.3.166.170] File does not exist: /usr/local/apache/htdocs/jaja
[Mon Jan 19 02:08:07 2015] [error] [client 210.3.166.170] File does not exist: /usr/local/apache/htdocs/phpMyAdmin
[Mon Jan 19 02:08:07 2015] [error] [client 210.3.166.170] File does not exist: /usr/local/apache/htdocs/pma
[Mon Jan 19 02:08:08 2015] [error] [client 210.3.166.170] File does not exist: /usr/local/apache/htdocs/myadmin

Also, this on a regular basis:

[Sun Jan 18 06:28:02 2015] [error] [client 72.135.212.130] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /tmUnblock.cgi
Keith

1 Posts Posts
The first URL you comment on seems to be part of a detection script for phpmyadmin. My guess is it is looking for the 404 definition for your site so it knows if it's a permission denied or the scripts just don't exist

e.g.

a.b.c.d - - [18/Jan/2015:19:04:28 +0000] "GET /czcz/czc/cz.php HTTP/1.1" 404 217 "-" "-"
a.b.c.d - - [18/Jan/2015:19:04:29 +0000] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 230 "-" "-"
a.b.c.d - - [18/Jan/2015:19:04:30 +0000] "GET /pma/scripts/setup.php HTTP/1.1" 404 223 "-" "-"
a.b.c.d - - [18/Jan/2015:19:04:30 +0000] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 227 "-" "-"

e.f.g.h - - [18/Jan/2015:19:36:42 +0000] "GET /rfrf/rfr/rf.php HTTP/1.1" 404 217 "-" "-"
e.f.g.h - - [18/Jan/2015:19:36:42 +0000] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 230 "-" "-"
e.f.g.h - - [18/Jan/2015:19:36:43 +0000] "GET /pma/scripts/setup.php HTTP/1.1" 404 223 "-" "-"
e.f.g.h - - [18/Jan/2015:19:36:43 +0000] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 227 "-" "-"
Anonymous

Posts

Sign Up for Free or Log In to start participating in the conversation!